Industrial Control System Security


RECOMMENDATION: IT IN PRODUCTION
Industrial Control System Security: Top 10 Threats and Countermeasures 2014
BSI Publications on Cyber-Security, BSI-CS 005, Version 1.10 of 03/26/2014

Manufacturing and process automation systems, collectively termed Industrial Control Systems (ICS), are used in almost all infrastructures handling physical processes. Applications range from energy production and distribution, gas and water supply to industrial automation, traffic-control systems and state-of-the-art facility management. These ICS are increasingly exposed to the same cyber threats as conventional IT systems. In light of the increasing frequency of incidents and newly discovered weaknesses, asset owners urgently need to address these issues. In doing so, they have to consider the risk and damage potential of untargeted malware as well as of targeted, high-quality attacks against ICS infrastructures executed with significant effort. This is true for infrastructures directly connected to the Internet, but equally for infrastructures that can be targeted indirectly.

In the context of its analyses and its cooperation with industry partners on cyber security, the BSI has compiled a list of the threats currently facing ICS with the highest criticality. Each threat is presented using the following structure:
1. Description of the problem and causes: the causes and determining factors contributing to the presence of a weakness or a threat situation.
2. Potential threat scenarios: the specific ways in which the determining factors described above can be used to carry out an attack.
3. Countermeasures: options currently assessed as suitable to counter the threat and to minimise the residual risk.

This summary document cannot and should not be considered a complete list of threat scenarios and countermeasures. Rather, the described scenarios are intended to illustrate the scope of the associated threat. The cited countermeasures are potential starting points for countering the threats and allow a first estimate of the total effort required for defence. For each individual use case it has to be tested, and assessed in the context of a risk analysis, whether and which specific countermeasures are suitable and which alternative countermeasures may be necessary. Efficiency and cost-effectiveness, among other factors, have to be taken into account. Compatibility with running operations and with the real-time and safety requirements in force has to be ensured in any case. In addition, the implementation of safeguards must not lead to the loss of warranty or support services. For the first time, this Top 10 includes a simple assessment of the resulting risks as well as a self-check for an initial evaluation of your own security level. Aspects of functional safety are not explicitly addressed, however.

Threats and their Consequences

Threats to an ICS result from attacks or events which, due to existing weaknesses, can potentially cause damage to the ICS and therefore to the associated enterprise. The following table offers an overview of the most critical threats to ICS. New in this version of the Top 10 is the distinction between primary attacks and subsequent attacks. The focus is on primary attacks, which the threat agent uses to penetrate industrial facilities; subsequent attacks are then used to attack or gain access to additional internal systems.

No. (old no.)  Top 10 (this version)                                      |  Top 10 (previous version)
 1 (2)(3)      Malware Infection via Internet and Intranet                |   1 Unauthorised use of remote-maintenance access
 2 (6)         Introduction of Malware on Removable Media and External Hardware  |   2 Online attacks via office / enterprise networks
 3 (-)         Social Engineering                                         |   3 Attacks on standard components used in the ICS network
 4 (5)         Human Error and Sabotage                                   |   4 (D)DoS attacks
 5 (1)         Intrusion via Remote Access                                |   5 Human error and sabotage
 6 (-)         Control Components Connected to the Internet               |   6 Introduction of malicious code via removable media and external hardware
 7 (10)        Technical Malfunctions and Force Majeure                   |   7 Reading and writing messages in the ICS network
 8 (-)         Compromising of Smartphones in the Production Environment  |   8 Unauthorised access to resources
 9 (-)         Compromising of Extranet and Cloud Components              |   9 Attacks on network components
10 (4)         (D)DoS Attacks                                             |  10 Technical malfunctions and force majeure

Key: "(-)" in the first column marks a NEW entry. Previous entries not referenced in the first column (7, 8 and 9) are OMITTED from the primary attacks; they are now treated as subsequent attacks.

Starting from these primary attacks, an attacker can penetrate further into the enterprise with each subsequent attack. Figure 1 illustrates the connection.
[Figure 1: Sequence of primary attack and follow-up attack including associated damage]

Subsequent attacks include in particular:
- Readout of login details to increase privileges: Standard IT components present in an industrial environment, such as operating systems, application servers or databases, usually contain errors and weaknesses that threat agents can take advantage of.
- Unauthorised access to additional internal systems: Insiders, and attackers mounting subsequent attacks, have an easy job if services and components in an enterprise or control network do not use adequate methods for authentication and authorisation. A subsequent attack of this kind can take the form of a brute-force or dictionary attack on authentication mechanisms, for example.
- Manipulation of fieldbus communication: Since most control components currently communicate via plaintext protocols, and therefore without any protection, little effort is usually required to read, manipulate or inject control commands.
- Manipulation of network components: Threat agents can manipulate components such as routers or firewalls, e.g. to override security mechanisms or reroute data traffic.

Measures to counter such subsequent attacks should be implemented after basic protection against primary attacks has been established, as part of a defence-in-depth concept. Insufficient organisation, lack of knowledge and human error favour attacks and facilitate subsequent attacks. They also impede the detection of attacks as well as the sanitising and restoring of systems after a successful attack.

The potential damage can take many forms and has to be assessed as critical:
- Loss of availability of the ICS / loss of production
- Data leakage / loss of know-how (intellectual property)
- Physical damage to facilities
- Triggering of safety procedures or interference with safety systems
- Deterioration of product quality

The countermeasures listed further below form the first line of defence; their implementation carries the highest priority.
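The fieldbus point above is easy to underestimate until one sees how short a forged control command is. The following example is added here and is not part of the BSI document: it assumes Modbus/TCP as the plaintext protocol (the document only says "plaintext protocols"), forges a register write with nothing more than the standard library, and then runs a write-policy check over constructed traffic so that a writer other than the engineering workstation, or a write outside its permitted register block, raises an alert. Addresses, the policy and the frames are constructed for the example.

```python
"""Added example (not from the BSI document): forging a plaintext fieldbus write and a
matching detection rule. Modbus/TCP is assumed as the protocol; policy, IP addresses and
traffic are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change process state (the ones a write policy must cover).
WRITE_FUNCTIONS = {
    5: "write single coil", 6: "write single register",
    15: "write multiple coils", 16: "write multiple registers",
    22: "mask write register", 23: "read/write multiple registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]   # first coil/register touched (the write block for code 23)
    quantity: Optional[int]  # number of coils/registers touched


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("protocol identifier is not 0, not Modbus/TCP")
    if length != len(frame) - 6:           # the length field counts unit id + PDU
        raise ValueError("MBAP length field does not match the frame")
    pdu = frame[8:]
    address = quantity = None
    if func in (1, 2, 3, 4, 15, 16):       # start address, quantity
        address, quantity = struct.unpack(">HH", pdu[:4])
    elif func in (5, 6, 22):               # a single address
        address, quantity = struct.unpack(">H", pdu[:2])[0], 1
    elif func == 23:                       # read start, read qty, write start, write qty
        _, _, address, quantity = struct.unpack(">HHHH", pdu[:8])
    return ModbusRequest(tid, unit, func, address, quantity)


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Forge a function-6 request. There is no authentication to defeat; that is the threat."""
    pdu = struct.pack(">BHH", 6, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Hypothetical write policy: (source IP, unit id) -> holding registers that host may write.
# Only the engineering workstation may write, and only to one register block.
WRITE_POLICY = {("10.20.1.5", 1): range(0x10, 0x20)}


def check_write(src_ip: str, req: ModbusRequest) -> Optional[str]:
    """Alert text for a write outside the policy; None for reads and permitted writes."""
    if req.function not in WRITE_FUNCTIONS:
        return None
    allowed = WRITE_POLICY.get((src_ip, req.unit_id), range(0))
    touched = range(req.address, req.address + req.quantity)
    if all(a in allowed for a in touched):
        return None
    return (f"unauthorised {WRITE_FUNCTIONS[req.function]} from {src_ip} to unit "
            f"{req.unit_id}, registers {touched.start:#06x}-{touched.stop - 1:#06x}")


# Constructed traffic: (source IP, raw Modbus/TCP frame).
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.20.1.7", bytes.fromhex("00010000000601030000000a")),            # HMI reads 10 registers
    ("10.20.1.5", build_write_single_register(2, 1, 0x10, 0x1234)),      # EWS writes 0x10: allowed
    ("10.20.1.7", bytes.fromhex("00030000000b0110002000020400010002")),  # HMI writes 0x20-0x21
    ("10.20.1.5", build_write_single_register(4, 1, 0x30, 0x0001)),      # EWS writes outside block
]


def audit_modbus(traffic=SAMPLE_TRAFFIC) -> List[str]:
    """Run the policy over captured frames; one alert per unauthorised write."""
    alerts = []
    for src_ip, frame in traffic:
        alert = check_write(src_ip, parse_modbus_tcp(frame))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in audit_modbus():
        print(line)
```

The detection side only works if the sensor sees the fieldbus segment (a SPAN port or tap inside the control network); it does not stop the write, it makes the manipulation visible, which is what the document's "detection" criterion scores. Source IP is used for attribution because the protocol itself carries nothing better; a host that can spoof or that is itself compromised (the subsequent-attack case) is exactly why the write policy should also be enforced at the controller or a protocol-aware firewall.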

Assessment Criteria

The ranking of threats results from an analysis of aspects such as the group of perpetrators, the prevalence and exploitability of the weaknesses, and the potential technical and commercial consequences of an attack. The following criteria can be used for the individual assessment of the threats an enterprise is facing; each is scored from 1 (least critical) to 3 (most critical):

Criterion        Question                                                                     Score 1        Score 2       Score 3
Prevalence       How prevalent is the potential vulnerability in the enterprise?              RARE (1)       MODERATE (2)  FREQUENT (3)
Exposure         How easily can the vulnerability be located and reached?                     LOW (1)        MODERATE (2)  HIGH (3)
Exploitability   How easy is it to exploit the vulnerability (technical expertise, effort)?   DIFFICULT (1)  MODERATE (2)  EASY (3)
Detection        How easily can a compromising action be detected?                            EASY (1)       MODERATE (2)  DIFFICULT (3)

The primary attack methods cited in this document have been assessed in advance using these criteria, based on experience from specific security incidents and feedback from industry partners. The four ratings are printed after each threat heading, in the order Prevalence, Exposure, Exploitability, Detection. You can and should adapt this preliminary assessment to the actual situation in your enterprise in order to establish your own Top 10 of the most critical threats. The order of threats in this Top 10 is the result of a simple addition of the scores for the four criteria.

To evaluate the risk for your own enterprise, you should on the one hand assess each countermeasure individually with respect to its technical or organisational feasibility, together with a cost estimate for it. On the other hand, it is particularly important to assess the business impact, i.e. the (especially financial) consequences for the enterprise, for each case. This usually has to be done by the asset owner with due regard to the determining factors and the potential subsequent attacks.
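As an added worked example (not part of the BSI document), the scoring scheme is applied to the ratings printed for the ten threats. One thing worth checking before adopting the scheme: by pure sum, threat 8 (9 points) would rank above threat 7 (8 points), whereas the document lists 7 first, and threats 2/3, 4/5/6 and 7/9 are tied. Treat the published order as the authors' judgement layered on top of the score, and your own order likewise. The business-impact multiplier at the end is my assumption about how the owner-specific step can be made explicit; the document only says the owner has to assess impact.

```python
"""Added example (not from the BSI document): the Top 10 scoring scheme applied to the
ratings printed in the document, plus an assumed business-impact weighting."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CRITERIA = ("prevalence", "exposure", "exploitability", "detection")

# Rating words per criterion and their 1..3 scores; for detection, hard to detect scores highest.
SCALES: Dict[str, Dict[str, int]] = {
    "prevalence": {"RARE": 1, "MODERATE": 2, "FREQUENT": 3},
    "exposure": {"LOW": 1, "MODERATE": 2, "HIGH": 3},
    "exploitability": {"DIFFICULT": 1, "MODERATE": 2, "EASY": 3},
    "detection": {"EASY": 1, "MODERATE": 2, "DIFFICULT": 3},
}


@dataclass(frozen=True)
class Threat:
    no: int                      # position in the published Top 10
    name: str
    scores: Tuple[int, int, int, int]

    @property
    def total(self) -> int:
        return sum(self.scores)


def rate(prevalence: str, exposure: str, exploitability: str, detection: str) -> Tuple[int, ...]:
    """Turn rating words into scores; a word outside the criterion's scale raises KeyError."""
    words = (prevalence, exposure, exploitability, detection)
    return tuple(SCALES[c][w.upper()] for c, w in zip(CRITERIA, words))


# Scores exactly as printed after each threat heading in the document.
PUBLISHED: List[Threat] = [
    Threat(1, "Malware infection via Internet and intranet", (3, 3, 3, 3)),
    Threat(2, "Malware on removable media and external hardware", (3, 3, 2, 3)),
    Threat(3, "Social engineering", (3, 3, 3, 2)),
    Threat(4, "Human error and sabotage", (3, 3, 1, 3)),
    Threat(5, "Intrusion via remote access", (3, 2, 2, 3)),
    Threat(6, "Control components connected to the Internet", (1, 3, 3, 3)),
    Threat(7, "Technical malfunctions and force majeure", (3, 3, 1, 1)),
    Threat(8, "Compromised smartphones in the production environment", (1, 3, 2, 3)),
    Threat(9, "Compromised extranet and cloud components", (1, 2, 2, 3)),
    Threat(10, "(D)DoS attacks", (1, 3, 2, 1)),
]


def rank(threats: List[Threat]) -> List[Threat]:
    """Highest total first; sorted() is stable, so ties keep the input order."""
    return sorted(threats, key=lambda t: -t.total)


def rank_mismatches(threats: List[Threat]) -> List[Tuple[int, int]]:
    """(position by pure sum, published number) wherever the two disagree."""
    return [(pos, t.no) for pos, t in enumerate(rank(threats), start=1) if pos != t.no]


def prioritise(threats: List[Threat], impact: Dict[int, int]) -> List[Tuple[int, str, int]]:
    """Assumed owner-specific step: multiply the threat score by a business-impact rating
    (1 = minor, 2 = significant, 3 = severe) per threat number; unrated threats count as 1."""
    weighted = sorted(threats, key=lambda t: -(t.total * impact.get(t.no, 1)))
    return [(t.no, t.name, t.total * impact.get(t.no, 1)) for t in weighted]


if __name__ == "__main__":
    for t in rank(PUBLISHED):
        print(f"{t.total:2d}  #{t.no:<2d} {t.name}")
    print("sum order differs from published order at:", rank_mismatches(PUBLISHED))
```

Re-rating is a matter of replacing the tuples with the output of rate() for your own site; an asset owner who, for example, rates technical malfunctions as severe impact will see threat 7 move to the top of prioritise(), which is the intended effect of doing the impact step explicitly rather than in one's head.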

1. Malware Infection via Internet and Intranet
Prevalence: FREQUENT (3), Exposure: HIGH (3), Exploitability: EASY (3), Detection: DIFFICULT (3)

Description of the problem & causes
Enterprise networks use standard components (commercial off-the-shelf, COTS) such as operating systems, web servers, databases, browsers or e-mail clients. New weaknesses in these components are discovered almost every day. As these networks are usually connected to the Internet, whether for web access or e-mail, these systems can be reached easily by threat agents. Already in an office network a threat agent can sometimes obtain critical information. These COTS components are increasingly common in ICS networks, too. In theory, the office and ICS networks are separated by the so-called air gap, i.e. there is no direct connection between them. In particular with the increasing prevalence of Ethernet-based networks for ICS applications and their increasing interconnection with systems in enterprise networks (e-mail, file servers, enterprise systems etc.), however, this is no longer the case in most installations. Threat agents who succeed in penetrating the office network can often work their way forward into the ICS network in a subsequent attack. The relationship between office network security and ICS network security is often not evident: staff responsible for the office network are often unaware that a compromise there can have substantial consequences for the security of ICS networks. Access from the ICS network, or from a network close to the ICS, to other networks and especially to the Internet can result in targeted as well as untargeted attacks.

Potential threat scenarios
1. Exploitation of known weaknesses or of so-called zero-day exploits, i.e. previously unknown attacks that cannot yet be recognised by antivirus products or the like.
2. Manipulation of external web pages, e.g. in order to carry out a drive-by download and thereby infect victims without any user interaction, simply by their visiting the website.
3. Attacks on enterprise web pages (e.g. SQL injection, cross-site scripting etc.).
4. Infection of components by untargeted malware (e.g. worms), limiting their functionality or availability.

Countermeasures
1. Maximum isolation of the different networks (segmentation) by firewalls and VPN solutions, to exclude attack routes leading to the ICS network as far as possible. Isolation of unprotected / unpatchable systems ("secure islands").
2. Use of conventional safeguards at the perimeter (e.g. firewalls, antivirus software) and on the ICS (e.g. application whitelisting, antivirus software).
3. Limitation of freely available information within the enterprise (e.g. on file servers or in databases) in order to impede leakage of critical information (need-to-know principle).
4. Regular and timely patching of operating systems and applications in the office and back-end networks and, where possible, in the ICS network.
5. Monitoring of log files for unusual connections or connection attempts.
6. Hardening of all IT components (services, computers) used in office and ICS environments.
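Countermeasures 1 and 5 are only useful together: segmentation defines which cross-zone flows are legitimate, and log monitoring checks that the firewall actually enforces that. The following example is added here and is not part of the BSI document. It assumes a three-zone model (office, DMZ, ICS, with everything else treated as the Internet), a small allow-list of zone-to-zone flows, and a constructed firewall log format; an allowed connection outside the policy is reported as a rule gap, a denied one as an attempt worth investigating.

```python
"""Added example (not from the BSI document): checking firewall connection logs against
a segmentation policy. Zones, allowed flows and the log format are constructed."""
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Hypothetical zone model. Any address outside these networks is treated as external ("internet").
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.15.0.0/24"),
    "ics": ipaddress.ip_network("10.20.0.0/16"),
}

# The only permitted cross-zone flows: (source zone, destination zone, destination port).
# Deliberately no office->ics and no ics->internet entry: the ICS is reachable only via the DMZ.
ALLOWED_FLOWS: Set[Tuple[str, str, int]] = {
    ("office", "dmz", 443),       # office users reach the DMZ historian front end
    ("ics", "dmz", 8443),         # the ICS historian pushes data into the DMZ replica
    ("dmz", "ics", 502),          # only the DMZ replica polls controllers
    ("office", "internet", 80),
    ("office", "internet", 443),
}

# Constructed log format: "<ts> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> <proto>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>ALLOW|DENY) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def check_line(line: str) -> Optional[str]:
    """Finding for a cross-zone connection the policy does not permit, else None."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
    if src_zone == dst_zone:
        return None                      # intra-zone traffic is not a segmentation question
    if (src_zone, dst_zone, int(m["dport"])) in ALLOWED_FLOWS:
        return None
    severity = "RULE GAP" if m["verdict"] == "ALLOW" else "ATTEMPT"
    return (f"{severity}: {m['ts']} {m['src']} ({src_zone}) -> {m['dst']}:{m['dport']} "
            f"({dst_zone}), verdict {m['verdict']}, flow not in policy")


# Constructed log lines.
SAMPLE_LOG = [
    "2014-03-20T09:12:01Z ALLOW 10.10.5.3:50122 -> 10.15.0.10:443 tcp",     # office -> DMZ: fine
    "2014-03-20T09:12:07Z ALLOW 10.20.3.17:51022 -> 203.0.113.50:80 tcp",   # ICS host reaches the Internet
    "2014-03-20T09:13:40Z DENY 10.10.5.3:50130 -> 10.20.1.5:502 tcp",       # office host tries a PLC directly
    "2014-03-20T09:14:02Z ALLOW 10.15.0.20:40001 -> 10.20.1.5:502 tcp",     # DMZ replica polls PLC: fine
    "2014-03-20T09:14:30Z ALLOW 10.20.1.5:34000 -> 10.20.1.9:102 tcp",      # intra-ICS, not evaluated
]


def audit_flows(lines=SAMPLE_LOG) -> List[str]:
    return [f for f in map(check_line, lines) if f]


if __name__ == "__main__":
    for finding in audit_flows():
        print(finding)
```

A RULE GAP finding means the ruleset disagrees with the written policy and needs fixing; an ATTEMPT means the ruleset held but something on the office side is probing the ICS, which is precisely the office-to-ICS subsequent attack the description warns about and should be handled as an incident, not as noise.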

2. Introduction of Malware on Removable Media and External Hardware
Prevalence: FREQUENT (3), Exposure: HIGH (3), Exploitability: MODERATE (2), Detection: DIFFICULT (3)

Description of the problem & causes
Removable media such as USB flash drives are very widely used. Company employees often use them in both the office and ICS networks. They also frequently take them home, e.g. to continue working there or to bring the latest music to work. External employees often carry their own removable media, too. The use of notebook computers with external data and maintenance software, possibly used by external maintenance staff at several different companies, is also widespread and carries comparable risks. Due to the history of ICS, security awareness is in many cases limited to availability, safety and physical security, such as access restrictions and protection from external influences. Employees are often unaware of what malware can do.

Potential threat scenarios
1. USB flash drives may have been infected in the office network or in a private environment. This way, malware can find its way directly into ICS networks.
2. Notebook computers used for maintenance may have been infected when accessing the Internet or office networks, or in the infrastructure of the respective service provider. As soon as they are operated in the ICS network, the systems and components there are infected with malicious code.
3. Project files or executable applications can contain malicious code leading to an infection or to data leakage.

Countermeasures
1. Introduction of strict organisational standards and technical controls for removable media:
   a. Cataloguing and whitelisting of approved removable media.
   b. A security perimeter for removable media (virus protection and file whitelisting, provided on a computer that runs a different operating system than the maintenance computers).
   c. Exclusive use of in-house, possibly personalised, removable media.
   d. Exclusive use in the ICS network.
   e. Physical barriers preventing (unauthorised) connection of USB devices, using resin, USB locks or desoldering of ports on circuit boards.
   f. Full encryption of data media.
2. Introduction of strict organisational standards and technical controls for external notebook computers used for maintenance:
   a. Exchange of data only via removable media, subject to the controls stated above.
   b. Introduction of quarantine networks for access by external service providers.
   c. Scanning of brought-in notebooks for weaknesses before they access the actual system.
   d. Full encryption of maintenance notebook computers kept with the asset owner.

3. Social Engineering
Prevalence: HIGH (3), Exposure: HIGH (3), Exploitability: EASY (3), Detection: MODERATE (2)

Description of the problem & causes
Social engineering is an approach intended to gain unauthorised access to information or IT systems by usually non-technical means. It exploits human characteristics such as the willingness to help others, trust, fear or respect for authority. Threat agents often use these characteristics as a diversion to entice employees to act without thinking or without due care. A typical example is a fraudulent website promising prizes such as a smartphone, a holiday trip or a free game, which then infects the victim's system with malware.

Potential threat scenarios
1. Phishing attacks, used by a threat agent to obtain victims' login details through fraudulent messages or to distribute malware.
2. Spear-phishing attacks, used by a threat agent against a usually small number of targets, with e-mails adapted precisely to the targeted persons. Public information taken from company websites or social networks, among other sources, is used for this purpose.
3. A threat agent may also gain unauthorised access to a building by a confident and friendly demeanour or by providing false information (e.g. posing as a service technician).

Countermeasures
1. Target audience-specific security awareness training.
2. Organisational safeguards: compilation and enforcement of security policies, including
   a. identification and classification of information valuable to the enterprise,
   b. confidentiality and/or privacy agreements not only for in-house staff but also for partners and service providers,
   c. policies for the destruction of information printed on paper (e.g. shredding),
   d. secure disposal of digital storage media,
   e. rules for the handling of mobile devices (privacy filter, storage in a safe etc.).
3. Introduction of reporting channels for incidents and also for suspicious behaviour. These should be defined and communicated and should not entail any negative consequences for staff.
4. Use of technical security mechanisms to enforce the applicable rules and to detect misconduct or attacks automatically (e.g. device control or access control).

4. Human Error and Sabotage
Prevalence: FREQUENT (3), Exposure: HIGH (3), Exploitability: DIFFICULT (1), Detection: DIFFICULT (3)

Description of the problem & causes
Staff working in an ICS environment are in a special position with regard to security. This is true for in-house staff as well as for all external personnel, e.g. for maintenance or construction, whether they have access to the facilities or work from a remote location. Security can never be guaranteed by technical controls alone; it always requires organisational rules.

Potential threat scenarios
1. Incorrect configuration of security-relevant components (e.g. firewalls) or network components, but also of ICS components.
2. In particular, the uncoordinated installation of updates or patches can lead to problems with the functionality of individual components and their interaction.
3. Side-effects of intentional actions need to be considered (damage to devices and installations, placing of covert listening devices etc.).
4. Compromise of systems by unauthorised software or hardware. This includes e.g. games, digital cameras, smartphones or other USB devices belonging to operators.
5. Creation of unreleased configurations for infrastructure and security components (e.g. adding a firewall rule that allows unauthorised access from outside via mobile endpoints).
The scenarios described above can be triggered by espionage and sabotage, but also by carelessness and human error. Incidents of this kind can lead to a significant loss of availability, especially where organisational shortcomings exist. Many compromises are only possible because of such shortcomings.

Countermeasures
1. Introduction of the need-to-know principle: knowledge of system details, passwords etc. and access to sensitive data only where necessary.
2. Creation of a general framework for motivated, qualified and well-connected staff, to ensure operator and administrator competence for functional as well as security-specific components. Qualification and training programmes, as well as awareness-raising measures, are to be designed sustainably and should be compulsory.
3. Disabling of Internet access for control systems and for systems in close proximity to the production environment, and provision of separate components, sufficiently secured and integrated into a different network, for tasks outside the ICS (e.g. office applications, e-mail, ERP etc.).
4. Introduction of standardised processes for recruitment and for staff leaving the enterprise, as well as for external contractors (product suppliers, service providers).
5. Suitable standards (policies & procedures) for the handling of technical systems by staff (e.g. handling of removable media, communication behaviour for e-mail and social networks, password policies, installation of individual software etc.).
6. Introduction of suitable policies, in particular for critical processes in the ICS network: for example, standards for security and configuration management that regulate the involvement of security experts and other relevant roles, so that changes or updates are implemented only after they have been consulted. All agreements should be documented and additional safeguards (e.g. the four-eyes principle) arranged.
7. Automatic monitoring of system health and configurations.
8. Secure storage of project files and configurations.

5. Intrusion via Remote Access
Prevalence: FREQUENT (3), Exposure: MODERATE (2), Exploitability: MODERATE (2), Detection: DIFFICULT (3)

Description of the problem & causes
External access for maintenance purposes is very common in ICS installations. Poorly secured access, e.g. via default passwords or even hardcoded passwords, is a common issue. External access via Virtual Private Networks (VPN) is sometimes not limited with regard to the reachable systems, i.e. additional systems are accessible via the maintenance access intended for one specific system. Major causes are a lack of authentication and authorisation as well as flat network structures. Product suppliers and external service providers are often contracted for the maintenance and programming of components. This poses additional challenges for security management, as the security concepts of several parties have to be harmonised.

Potential threat scenarios
1. Direct attack on an access point used for maintenance, e.g. by
   a. a brute-force attack on password-protected access points,
   b. re-use of a previously recorded token,
   c. web-specific attacks (e.g. injection or CSRF) on access points used for maintenance.
2. Indirect attack via the IT systems of the service provider for which the external access was created, e.g.
   a. trojans exploiting the access directly on the external maintenance computer,
   b. theft of passwords, certificates or other tokens, or other ways of acquiring the required login details, e.g. by bribing or blackmailing staff holding such privileges,
   c. use of stolen notebook computers with software configured for external access.

Countermeasures
1. Default users / passwords set by the product supplier (delivery condition) should be blocked or deleted (acceptance protocol).
2. Use of sufficiently secure authentication procedures, e.g. pre-shared keys, certificates, hardware tokens, one-time passwords and multi-factor authentication based on possession and knowledge.
3. Protection of the transmission route by encryption, e.g. SSL/TLS.
4. Sufficiently granular segmentation of networks to minimise the "reach" of remote access.
5. Placement of the access point for remote maintenance in a demilitarised zone (DMZ), so that service providers first connect to the DMZ instead of to the ICS network and obtain access to the target system only from there.
6. Remote access must always be routed through a firewall that permits and monitors access to the target system, releasing only those IP addresses, ports and systems required for maintenance.
7. Enabling of remote access by internal personnel only for the duration and the purpose of the remote maintenance.
8. Logging of remote access to ensure traceability. Additional processes should ensure that the logged data are evaluated and archived.
9. All means of access must be personalised, i.e. no functional accounts used by more than one person. Only one login per user is allowed at a time.
10. Auditing of these systems / means of access.
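Countermeasure 8 says the logs must be evaluated; countermeasures 6, 7 and 9 say what to evaluate them against. The following example is added here and is not part of the BSI document. It assumes a remote-maintenance gateway that writes one line per LOGIN/LOGOUT (a constructed format), a list of personal accounts with the only target each may reach, and maintenance windows opened by internal staff; it replays the log and reports logins with a functional account, to a target outside the account's scope, outside an approved window, or while the same user already has a session open.

```python
"""Added example (not from the BSI document): auditing remote-maintenance session logs
against the access rules. Log format, accounts, targets and windows are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

# Constructed gateway log format.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"target=(?P<target>\S+) session=(?P<sid>\S+)$"
)


def _t(s: str) -> datetime:
    """Parse the gateway's UTC timestamps ("...Z")."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Personal accounts and the only target system each may reach (countermeasures 6 and 9).
ACCOUNT_TARGETS: Dict[str, Set[str]] = {
    "vendor_mueller": {"10.20.1.5"},
    "vendor_schmidt": {"10.20.1.9"},
}

# Maintenance windows opened by internal staff (countermeasure 7): (user, start, end).
MAINTENANCE_WINDOWS: List[Tuple[str, datetime, datetime]] = [
    ("vendor_mueller", _t("2014-03-20T08:00:00Z"), _t("2014-03-20T10:00:00Z")),
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    src: str
    target: str
    sid: str


def parse_line(line: str) -> Event:
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return Event(_t(m["ts"]), m["event"], m["user"], m["src"], m["target"], m["sid"])


def in_window(user: str, ts: datetime) -> bool:
    return any(u == user and start <= ts <= end for u, start, end in MAINTENANCE_WINDOWS)


def audit_remote_access(lines: Iterable[str]) -> List[str]:
    """Replay the log in order; one finding per violated rule."""
    findings: List[str] = []
    active: Dict[str, Set[str]] = {}        # user -> session ids currently open
    for ev in map(parse_line, lines):
        if ev.kind == "LOGOUT":
            active.get(ev.user, set()).discard(ev.sid)
            continue
        when = ev.ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        if ev.user not in ACCOUNT_TARGETS:
            findings.append(f"{when} {ev.user}: login with a non-personal (functional) account from {ev.src}")
        elif ev.target not in ACCOUNT_TARGETS[ev.user]:
            findings.append(f"{when} {ev.user}: target {ev.target} not permitted for this account")
        if not in_window(ev.user, ev.ts):
            findings.append(f"{when} {ev.user}: login outside an approved maintenance window")
        if active.get(ev.user):
            findings.append(f"{when} {ev.user}: second concurrent session {ev.sid} "
                            f"(already open: {sorted(active[ev.user])})")
        active.setdefault(ev.user, set()).add(ev.sid)
    return findings


# Constructed log lines.
SAMPLE_LOG = [
    "2014-03-20T08:02:11Z LOGIN user=vendor_mueller src=203.0.113.10 target=10.20.1.5 session=a1",
    "2014-03-20T08:10:40Z LOGIN user=vendor_mueller src=203.0.113.10 target=10.20.1.5 session=a2",
    "2014-03-20T08:15:02Z LOGOUT user=vendor_mueller src=203.0.113.10 target=10.20.1.5 session=a1",
    "2014-03-20T08:18:30Z LOGOUT user=vendor_mueller src=203.0.113.10 target=10.20.1.5 session=a2",
    "2014-03-20T08:20:19Z LOGIN user=vendor_mueller src=203.0.113.10 target=10.20.1.9 session=a3",
    "2014-03-20T11:30:00Z LOGIN user=vendor_schmidt src=198.51.100.7 target=10.20.1.9 session=b1",
    "2014-03-20T11:40:00Z LOGIN user=maint src=198.51.100.7 target=10.20.1.5 session=c1",
]

if __name__ == "__main__":
    for finding in audit_remote_access(SAMPLE_LOG):
        print(finding)
```

The second concurrent session is the case countermeasure 9 exists for: the same credential in use from two places at once is the usual symptom of a stolen token or notebook (threat scenario 2b/2c). The check assumes the gateway reliably logs LOGOUT; a gateway that drops sessions silently needs a session timeout in the audit as well, otherwise every later login of that user would be reported as concurrent.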

6. Control Components Connected to the Internet
Prevalence: LOW (1), Exposure: HIGH (3), Exploitability: EASY (3), Detection: DIFFICULT (3)

Description of the problem & causes
Despite the recommendations of product suppliers, ICS components such as programmable logic controllers are often connected directly to the Internet. These types of devices, however, often lack the security features found in standard IT. In addition, timely installation of patches is often not possible for these controllers once a weakness is discovered, so additional security mechanisms are urgently required.

Potential threat scenarios
1. Discovery of control components through common search engines ("Google dorks"), specialised search engines such as Shodan, or custom Internet scans.
2. Direct access to unprotected components, or use of publicly available default passwords, to perform unauthorised operation and manipulation.
3. Exploitation of weaknesses in exposed services, such as the web interface (WWW), FTP, SNMP or Telnet, to gain access to components or to limit their availability.

Countermeasures
1. No direct connection of control components to the Internet.
2. Hardening of the configuration of control components (disabling unneeded services, changing default passwords etc.).
3. Use of additional controls, such as firewalls and VPN solutions.
4. Timely updating (updates / patches) of vulnerable products where possible.

7. Technical Malfunctions and Force Majeure
Prevalence: FREQUENT (3), Exposure: HIGH (3), Exploitability: DIFFICULT (1), Detection: EASY (1)

Description of the problem & causes
Software errors in security-specific components and ICS components that lead to unexpected malfunctions can never be excluded, nor can hardware defects and network failures. Hardware defects in particular are more probable in certain application scenarios due to the environmental conditions (dirt, temperature etc.) if the necessary precautions are not taken.

Potential threat scenarios
1. Component defects during runtime, e.g. failure of hard disks or switches, cable breakage etc., leading to immediate failure.
2. Both hardware defects and errors in software components can remain undiscovered for a long time and may not become a problem until e.g. systems are restarted or a certain condition applies.
3. Software errors can cause a system to fail. For example, an update of the operating system of a central security component can lead to a system malfunction after the required restart.
Incidents of this kind can lead to a significant loss of availability, especially where organisational shortcomings exist.

Countermeasures
1. Establishment of business continuity management, including potential countermeasures, procedures for system recovery, alternative communication options and the conduct of drills.
2. Provision of exchange or replacement devices.
3. Provision and use of test and staging systems in which patches, updates and new software components are tested thoroughly before they are installed on production systems.
4. Use of standardised interfaces not developed by the product supplier itself. This minimises the risk of undiscovered gaps.
5. Redundant design of important components.
6. For the selection of systems and components, sufficient minimum requirements have to be defined and enforced according to the identified need for protection. Important aspects in this context are:
   a. trustworthiness and reliability of the product suppliers,
   b. robustness of the products,
   c. existence of suitable security mechanisms (e.g. secure authentication),
   d. long-term availability of spare parts, updates and maintenance,
   e. timely availability of patches,
   f. open migration paths,
   g. no use of unneeded product features.
A sound foundation for these and other aspects can be found in a white paper by the BDEW (German Federal Association of the Energy and Water Industries).

8. Compromising of Smartphones in the Production Environment
Prevalence: LOW (1), Exposure: HIGH (3), Exploitability: MODERATE (2), Detection: DIFFICULT (3)

Description of the problem & causes
Displaying and modifying operating or production parameters on a smartphone or tablet is increasingly marketed and used as an additional feature of ICS components. This is a special case of remote-maintenance access that adds further attack vectors through the use of smartphones.

Potential threat scenarios
1. Theft or loss of smartphones.
2. Attack on the smartphone by additional programs reading insufficiently protected information on the device.
3. Attack on the communication channel between the smartphone and the ICS component:
   a. logging of the communication with the ICS,
   b. replay attacks by sending recorded communication,
   c. reverse engineering of the application or protocol used,
   d. man-in-the-middle attacks.

Countermeasures
1. Limitation of smartphone access to ICS systems to read access. It should be impossible to modify operating or production parameters.
2. Use of products or built-in operating system features for access protection, protection against malware and remote wipe (mobile device management).
3. No forbidden or security-critical manipulations (jailbreaking, rooting) may be carried out on smartphones.
4. Smartphone applications must be obtained from a certified source (app store). Ideally, apps are audited and distributed centrally by the IT department.
5. Use of encrypted connections (VPN).
6. Assessment of whether the benefits of smartphone use outweigh the risks.
7. No use of apps for direct access to the ICS. Instead, indirect, encrypted access via a secured terminal server providing only the required programs.
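Threat scenario 3b (replaying recorded communication) succeeds against any channel that has no notion of freshness, and countermeasure 1 (read-only access) has to be enforced on the component side, not in the app. The following example is added here and is not part of the BSI document. It shows an unprotected endpoint accepting a replayed write, then an endpoint that authenticates each request with an HMAC over a monotonic sequence number and refuses writes from mobile clients; the key, the parameter names and the messages are constructed, and the counter-plus-HMAC design is my suggestion, not a mechanism the document prescribes. A VPN (countermeasure 5) still belongs around this for confidentiality; the HMAC addresses replay and tampering at the application layer, where a terminal server or the component can check it.

```python
"""Added example (not from the BSI document): replay of a recorded smartphone-to-component
request against an unprotected endpoint and against one with HMAC + sequence numbers and
read-only enforcement. Key, parameters and messages are constructed."""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key; a real deployment provisions a per-device key out of band.
APP_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so client and component MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_request(key: bytes, seq: int, action: str, parameter: str,
                 value: Optional[float] = None) -> dict:
    """Client side: sequence number plus HMAC-SHA256 over the canonical request body."""
    body = {"seq": seq, "action": action, "parameter": parameter, "value": value}
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class UnprotectedEndpoint:
    """What scenario 3b exploits: no authentication, no freshness check."""

    def __init__(self) -> None:
        self.parameters = {"setpoint_1": 42.0}

    def handle(self, msg: dict) -> Tuple[bool, str]:
        if msg["action"] == "write":
            self.parameters[msg["parameter"]] = msg["value"]
            return True, "written"
        return True, f"{msg['parameter']}={self.parameters.get(msg['parameter'])}"


class ProtectedEndpoint:
    """Verify the MAC first, then freshness, then authorisation (reads only for mobile clients)."""

    def __init__(self, key: bytes, read_only: bool = True) -> None:
        self.key = key
        self.read_only = read_only
        self.last_seq = 0                   # must be persisted across restarts in practice
        self.parameters = {"setpoint_1": 42.0}

    def handle(self, msg: dict) -> Tuple[bool, str]:
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "rejected: bad MAC (forged or modified request)"
        if body["seq"] <= self.last_seq:
            return False, f"rejected: replay (seq {body['seq']} <= last accepted {self.last_seq})"
        self.last_seq = body["seq"]         # consume the number even if the action is refused
        if body["action"] == "read":
            return True, f"{body['parameter']}={self.parameters.get(body['parameter'])}"
        if self.read_only:
            return False, "rejected: write refused, mobile access is read-only"
        self.parameters[body["parameter"]] = body["value"]
        return True, "written"


def demo() -> dict:
    """Replay and forgery attempts against both endpoints; outcomes keyed by name."""
    results = {}
    # 1.  Unprotected: a write captured on the air is replayed and silently changes the setpoint.
    naive = UnprotectedEndpoint()
    captured = {"action": "write", "parameter": "setpoint_1", "value": 55.0}
    naive.handle(captured)
    naive.parameters["setpoint_1"] = 42.0               # operator restores the value ...
    results["naive_replay"] = naive.handle(captured)    # ... and the replay flips it again
    results["naive_value_after_replay"] = naive.parameters["setpoint_1"]
    # 2.  Protected: legitimate read, replayed read, tampered copy, then a write attempt.
    plc = ProtectedEndpoint(APP_KEY)
    legit = make_request(APP_KEY, 1, "read", "setpoint_1")
    results["read"] = plc.handle(legit)
    results["replay"] = plc.handle(legit)
    tampered = dict(legit, seq=2)                       # attacker bumps seq, cannot redo the MAC
    results["tampered"] = plc.handle(tampered)
    results["write"] = plc.handle(make_request(APP_KEY, 2, "write", "setpoint_1", 55.0))
    results["value_after"] = plc.parameters["setpoint_1"]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points the demo glosses over: the component must store last_seq persistently, otherwise a power cycle re-opens the replay window for every message recorded since the key was provisioned; and the key lives on the phone, so scenario 2 (malware reading insufficiently protected data on the device) turns into key theft, which is the argument for countermeasure 7, keeping the protocol endpoint on a terminal server rather than in an app.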

9. Compromising of Extranet and Cloud Components
Prevalence: LOW (1), Exposure: MODERATE (2), Exploitability: MODERATE (2), Detection: DIFFICULT (3)

Description of the problem & causes
The trend in conventional IT to outsource IT components is now also gaining traction in the ICS sector. This usually does not concern components directly controlling physical processes, as latency will usually prevent real-time requirements from being met. However, the number of providers of externally operated software components for data capture and processing on historians, for the calculation of complex models for the configuration of machines, or for the optimisation of manufacturing processes (Big Data) has been increasing continually. Security-specific components are also occasionally offered as cloud-based solutions. For example, providers of remote-maintenance solutions place the client systems for remote access in the cloud, from where the maintenance technician accesses the various components. Solutions of this kind are currently of particular interest to small and medium-sized enterprises (SMEs), as independent operation is often uneconomical while cloud-based systems are affordable and offer advantages such as scalability, redundancy and pay-per-use. These cloud solutions, however, leave the asset owner with only very limited control over the security of these components, even though they may be connected directly to local production.

Potential threat scenarios
1. Interference with or disruption of the communication between local production and the outsourced (cloud) components, e.g. by denial-of-service attacks. Cascade effects can also impair local production.
2. Exploitation of implementation errors or insufficient security mechanisms to gain access to externally stored data (data theft, deletion).
3. If a cloud provider's clients are insufficiently separated, attacks on other cloud services may cause interference (collateral damage).

Countermeasures
1. Contractual obligation of the operators of external components to provide a sufficient security level, e.g. through a service-level agreement (SLA).
2. Use of trusted and, if possible, certified service providers.
3. Operation of a private cloud to retain control and protect process know-how.
4. Use of sufficiently strong cryptographic mechanisms (encryption, integrity protection) to protect the data stored in the cloud.
5. Use of Virtual Private Networks (VPN) to secure the connection between local production and external components.

10. (D)DoS Attacks
RARE (1) HIGH (3) MODERATE (2) EASY (1)

Description of the problem & causes
Wired as well as wireless connections are used for communication between the components of an ICS. If these connections are interrupted, measuring and control data can no longer be transmitted, for example. Another option is to overload a component with a very high number of queries, making it impossible to deliver a timely answer. This is called a (distributed) denial-of-service ((D)DoS) attack, i.e. deliberately causing a malfunction, in some cases distributed over several threat agents.

Potential threat scenarios
1. (D)DoS attacks on the Internet connection of central or remote components: This can be done, among other means, by botnets that a threat agent can hire, for example. In addition, "hacktivism" groups such as Anonymous are increasingly relevant in this context.
2. DoS attacks on the interfaces of individual components: This type of attack interrupts the processing logic of a component using specific messages and causes it to crash. This can affect control devices or central components (e.g. databases or application servers), among others.
3. Attacks on wireless connections such as WLAN or mobile communications networks (GSM, UMTS, LTE). This can be done, for example, by:
   a. the use of jammers disrupting or interfering with the corresponding frequency ranges,
   b. the use of fake base stations leading the attacked systems to connect to an incorrect wireless network,
   c. sending special data packets causing existing connections to be dropped.

Countermeasures
1. Strict configuration and hardening of network access points and communication channels (e.g. GSM networks).
2. To support the persons involved in contingency planning and defence against DDoS attacks, the BSI provides a document on DDoS mitigation on the web pages of the Allianz für Cyber-Sicherheit ("Alliance for Cyber-Security").
3. Use of dedicated, cabled connections for critical applications.
4. Where applicable: Installation of intrusion detection systems (IDS) to detect attacks and trigger alarms via alternative channels.
5. Redundant connection of components using different protocols and/or communication channels.
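A detector of the kind that countermeasure 4 (IDS alarms) and the self-check item on alerting for significant changes in network traffic call for, written as an added example for this document rather than BSI code: it learns a per-destination packet-rate baseline from flow records and alerts on a volume spike or a sudden burst of distinct sources against one ICS component. The flow records, addresses and thresholds are constructed for illustration.

```python
"""Rate-based (D)DoS detection over ICS network flow records.

Added example, not code from the BSI document: learns a per-destination
traffic baseline from flow records and alerts on significant deviations.
All flow records, addresses and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since start of capture (constructed)
    src: str       # source address
    dst: str       # destination address (the ICS component being protected)
    packets: int   # packets carried by this flow record


WINDOW = 60           # seconds per aggregation window
BASELINE_WINDOWS = 5  # leading windows used to learn the per-destination baseline
RATE_FACTOR = 5.0     # alert when a window carries more than RATE_FACTOR x baseline
MIN_SOURCES = 10      # alert when this many distinct sources hit one destination


def aggregate(flows):
    """Bucket flows per destination and window: {dst: {window: (packets, sources)}}."""
    per_dst = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for f in flows:
        bucket = per_dst[f.dst][f.ts // WINDOW]
        bucket[0] += f.packets
        bucket[1].add(f.src)
    return {dst: {w: (p, len(s)) for w, (p, s) in ws.items()}
            for dst, ws in per_dst.items()}


def detect(flows):
    """Return alerts as (dst, window, reason) tuples.

    The baseline is the median packet count of the first BASELINE_WINDOWS
    windows seen for each destination; a median is used so that one noisy
    learning window does not skew it. Later windows are compared against
    it for volume (DoS) and for source diversity (DDoS).
    """
    alerts = []
    for dst, windows in aggregate(flows).items():
        ordered = sorted(windows)
        learn = ordered[:BASELINE_WINDOWS]
        base = median(windows[w][0] for w in learn) if learn else 0
        for w in ordered[BASELINE_WINDOWS:]:
            pkts, srcs = windows[w]
            if base and pkts > RATE_FACTOR * base:
                alerts.append((dst, w, f"packet rate {pkts} exceeds {RATE_FACTOR}x baseline {base}"))
            if srcs >= MIN_SOURCES:
                alerts.append((dst, w, f"{srcs} distinct sources in one window (distributed pattern)"))
    return alerts


def constructed_sample():
    """Constructed traffic: an HMI polls a PLC and a historian steadily for
    five minutes; in the sixth minute twelve outside hosts flood the PLC."""
    hmi, plc, historian = "10.0.1.5", "10.0.1.20", "10.0.1.30"
    flows = []
    for minute in range(6):
        for tick in range(0, 60, 2):  # one poll every 2 s: 30 pkt/min to the PLC
            t = minute * 60 + tick
            flows.append(Flow(t, hmi, plc, 1))
            flows.append(Flow(t, hmi, historian, 2))
    for i in range(12):               # flood in window 5 (the sixth minute)
        flows.append(Flow(5 * 60 + 10, f"198.51.100.{i + 1}", plc, 200))
    return flows


if __name__ == "__main__":
    for dst, window, reason in detect(constructed_sample()):
        # In production this would go to a dedicated alerting channel,
        # not only over the network that may itself be under attack.
        print(f"ALERT {dst} window {window}: {reason}")
```

The historian, whose traffic stays at its baseline, produces no alert, while the PLC is flagged both for volume and for the number of distinct sources.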

Additional Safeguards

Basic countermeasures
It is important to emphasise here that the described best practices are merely intended to enable the start of a structured security process within an ICS or the enterprise as a whole. The goal should be to introduce suitable information security management on the basis of established standards for both cyber security in general and ICS security specifically, for example: IT-Grundschutz ("IT baseline protection") based on ISO , the ISO/IEC series, VDI/VDE , IEC .

Building on this, an information security management system (ISMS) for ICS operation should be understood as a part of the superordinate management system of an enterprise. It also takes into account the specific risks of ICS and aims to permanently control, check, maintain and continually improve information security.

Most importantly, you should consider the following elementary controls when introducing an ISMS. They serve to provide an overview of the present systems and their infrastructure, to define responsibilities and to gain awareness of the existing risks. It is useful to implement these controls as early as possible to allow further planning to be as comprehensive and cost-efficient as possible.

Setting up a security organisation: This comprehensive task serves to define the roles relevant for security and the associated responsibilities for the security of ICS components. This responsibility for security does not only concern the individuals fulfilling these roles. The entire staff of an enterprise have to become aware of this responsibility and assume it. The security of ICS should be a natural part of the operational concept.

Creation and maintenance of documentation: Documentation and information concerning the security of ICS components (e.g. risk and weakness analyses, network plans, network management, configuration, security programme and organisation) should be created, maintained and sufficiently protected against unauthorised access and, if applicable, included in standards for service providers and product suppliers. This documentation enables you to avoid incompatibilities and inconsistencies of software in specific versions and configurations and to identify parts of the installation affected by weaknesses. Physical and logical network plans in particular enable stringent management of the infrastructure and the components it contains.

Risk management: One of the most important tasks is risk management. In its context, all functional as well as security-specific resources of an ICS should be considered. These should be systematically analysed and evaluated. The goal is to identify and prioritise threats and to derive suitable technical as well as organisational countermeasures. This is the only way for an enterprise to substantially assess its security level and the residual risks.

Contingency plan management and restart procedures: Following an incident, the processes for continued operation have to be defined to enable structured recommissioning. For secure and uninterrupted operation it is necessary for service and maintenance personnel as well as administrators to know all ICS features and to be able to operate them. All the documents required for operation and commissioning, in the form of administrator and user guides, have to be available and accessible to responsible and authorised staff.

Weakness reduction: As the threats continually change and develop, regular countermeasures are required in order to fend off potential attacks. In addition to staff training and subscription to security notifications (e.g. by component suppliers or the Alliance for Cyber-Security), this also includes actively searching for vulnerabilities. These countermeasures must be carried out regularly.

Detection of attacks and adequate responses: To detect and understand attacks, IT- and ICS-specific procedures as well as internal and external notification channels have to be defined.

The role of corporate management
It is the duty of the management of a company to spell out the rules governing cyber security and to communicate them to everyone concerned in a suitable way. Suitable control mechanisms have to be introduced to sustain the fulfilment of these expectations. It is important not to consider cyber security as a secondary goal to be implicitly fulfilled in the context of the implementation of functional requirements. On the contrary, cyber security is one of the critical aspects for attaining the corporate objectives. Aside from economic considerations, the management is obliged to ensure a sufficient level of security because shareholders or management may be personally liable. All in all, cyber security is therefore also in the management's own interest, which is why the required personnel and funds should be provided.

To enable corporate management to achieve the general conditions for a sufficient level of cyber security, adequate support must be provided by the technical personnel. This includes awareness of the effects of potential security incidents and providing target-group-specific information about the current state of implementation of cyber security. As part of strategic planning, corporate management has to be involved in all important decisions at an early stage. The remaining residual risks as well as instances of urgent need for action have to be emphasised in this context. The technical personnel should be aware that security is also in the interest of corporate management, but the relevant bases for decision-making should also be made transparent to enable corporate management to act accordingly.

Countermeasures against subsequent attacks
Various suitable countermeasures exist for assurance against potential subsequent attacks. These include physical assurance of the infrastructure against unauthorised local access, recording and evaluation of logging data, and hardening of IT and ICS components. These controls, as well as additional countermeasures, are explained in detail in the BSI's ICS Security Compendium. It is strongly recommended to implement these kinds of controls. The widespread opinion that singular safeguards or security products are enough to achieve a sufficient security level can have disastrous consequences. On the contrary, only the implementation of the so-called defence-in-depth approach, i.e. a multi-layered security concept in which the chosen security mechanisms form suitable redundancies and offer mutual support, will yield the desired results.

Self-Check
The following list of questions can assist in a self-assessment of the security level in your enterprise. Small and medium-sized enterprises (SMEs) can answer the questions with the entire enterprise in mind. For larger enterprises it is recommended to limit this to individual parts, such as an individual production line. It is recommended, and might even be necessary, not to answer the questions on your own, but to discuss them with the individuals in charge of IT and production.

Please assess for each of the individual countermeasures whether it has been implemented completely, in part or not at all for the enterprise or the analysed part. A score is given for each field. Add the scores obtained for each section and enter the sum in the line with the corresponding headline. The following figure shows an example.

Figure 2: Example of a filled-in self-check sheet

In case a safeguard is not required, please write down the full score. This is the case for item 5, for example, if there are no access points for remote maintenance in the entire enterprise. Finally, add up all obtained scores and enter them into the scale in the last line. The result provides a first self-assessment of your protection against the most critical threats in the area of industrial control systems and/or industrial IT.

This self-check may be considered a first orientation for the security assessment of an installation or an enterprise. It cannot and must not replace a comprehensive cyber-security analysis. For this reason, you should also treat the obtained total score with caution. The following recommendations apply depending on the obtained score:

0-25: The current situation and the Top 10 Threats and Countermeasures for ICS illustrate why you should act now.
: Some security mechanisms have already been implemented. However, there is need for action regarding the elementary countermeasures cited in the present Top 10.
: Perform a risk analysis in order to determine which security mechanisms you need to improve most urgently to be protected against certain threats.
: Your enterprise already handles cyber security responsibly. This does not mean, however, that you are reliably protected against cyber attacks. You should pursue the path to a systematic and comprehensive approach such as IT-Grundschutz or IEC . The BSI's ICS Security Compendium supports you on this path.

In the context of addressing these questions, you may already have begun to discuss with your co-workers which measures would be necessary and useful in order to improve security. This is a great opportunity that should be used as a starting point for further steps. The results obtained from the self-check can also be used to discuss the issue of enterprise security in general, and in production in particular, with the management.

Self-check sheet (for each statement, tick one of: Not implemented / Partly implemented / Completely implemented)

1 Malware Infection via Internet and Intranet
- The enterprise network is segmented, in particular to separate office and ICS networks.
- Virus protection has been introduced for e-mail, file servers and PCs as well as on network boundaries between ICS and other networks.
- It is impossible to access the Internet from the ICS network.

2 Introduction of Malware on Removable Media and External Hardware
- The simultaneous private and professional use of hardware is prohibited.
- Removable media are checked for malware before use.
- There are rules for the use of hardware by third-party personnel.

3 Social Engineering
- Regular training and awareness measures on cyber security are implemented for all employees.
- Standards (policies) regulate the use of technical systems by staff. Compliance with the policies is controlled.
- Technical security mechanisms enforce compliance with the policies.

4 Human Error and Sabotage
- The "need to know" principle has been introduced to prevent sensitive information from being distributed more widely than necessary.
- There are sufficient standards in place regarding security and configuration management.
- Technical controls monitor the current system configurations and states.

5 Intrusion via Remote Access
- Remote access always requires authentication and is encrypted.
- Remote access is fine-grained, i.e. access only to the required component instead of the entire subnet.
- There are security standards in place for computers performing remote maintenance (e.g. up-to-date virus protection).

6 Control Components Connected to the Internet
- There is no direct connection of control components to the Internet.
- The configuration of control components has been hardened (disabling unneeded services, changing default passwords etc.).
- Additional controls such as firewalls and VPN solutions are used.

7 Technical Malfunctions and Force Majeure
- Security aspects are considered during the selection of components (e.g. based on ISA99 or the BDEW white paper).
- Important IT systems feature a redundant design and a distributed structure.
- Procedures have been defined to respond to system failures and emergency situations.

8 Compromising of Smartphones in the Production Environment
- Only read access to ICS systems is permitted; no modification of operating or production parameters is possible.
- Smartphones used feature a strict basic configuration (in particular no jailbreaking/rooting).
- Smartphone applications must be obtained from a certified source (app store).

9 Compromising of Extranet and Cloud Components
- Users of external components are obliged to comply with a sufficient security level, e.g. through an SLA.
- Only trusted and, if possible, certified service providers are used.
- Operations are conducted in the form of a private cloud or with guaranteed strict separation of clients.

10 (D)DoS Attacks
- Mechanisms for detection and alerting in case of significant changes to network traffic have been introduced.
- External connections of critical systems are designed with redundancy via different communication technologies.
- Contingency planning documents how to proceed in case of a DDoS attack as well as the relevant external contacts.

TOTAL SCORE (0-100 points)

Many risks and threats cannot be minimised by the implementation of technical controls alone, but rather by a combination of organisational regulations and technical controls. The countermeasures proposed in the present document are generally suitable to limit the identified threats with regard to their probability of occurrence as well as their impact. It is important for the understanding of security of all persons involved that certain residual risks will always remain.

For further information on security in factory automation and process control see the BSI's ICS Security Compendium, which is available free of charge. Among other things, it describes controls intended to be used in addition to those against the primary attacks described here, for protection against subsequent attacks in the context of a defence-in-depth approach. The ICS Security Compendium, as well as further publications and tools, are available on the BSI website:

If you have any further questions regarding security in industrial control systems, you can contact the BSI at ics-sec@bsi.bund.de. Here you can also obtain further information on issues such as raising employee awareness, security management, technical requirements, as well as many more topics related to Industrial Control Systems.

By means of the BSI publications, the Federal Office for Information Security (BSI) publishes documents about current topics in the field of cyber security. Comments and advice from readers can be sent to info@cyber-allianz.de.


More information

Cyber Security Issues - Brief Business Report

Cyber Security Issues - Brief Business Report Cyber Security: Are You Prepared? This briefing provides a high-level overview of the cyber security issues that businesses should be aware of. You should talk to a lawyer and an IT specialist for a complete

More information

How To Secure Your System From Cyber Attacks

How To Secure Your System From Cyber Attacks TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

Common Cyber Threats. Common cyber threats include:

Common Cyber Threats. Common cyber threats include: Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

CompTIA Security+ (Exam SY0-410)

CompTIA Security+ (Exam SY0-410) CompTIA Security+ (Exam SY0-410) Length: Location: Language(s): Audience(s): Level: Vendor: Type: Delivery Method: 5 Days 182, Broadway, Newmarket, Auckland English, Entry Level IT Professionals Intermediate

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

R 143 CYBERSECURITY RECOMMENDATION FOR MEDIA VENDORS SYSTEMS, SOFTWARE & SERVICES

R 143 CYBERSECURITY RECOMMENDATION FOR MEDIA VENDORS SYSTEMS, SOFTWARE & SERVICES R 143 CYBERSECURITY RECOMMENDATION FOR MEDIA VENDORS SYSTEMS, SOFTWARE & SERVICES RECOMMENDATION Geneva April 2016 R 143 Cybersecurity Rec. for media vendors systems, software & services Cybersecurity

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

SPEAR PHISHING UNDERSTANDING THE THREAT

SPEAR PHISHING UNDERSTANDING THE THREAT SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Information Security Management. Audit Check List

Information Security Management. Audit Check List Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Information Security Policy. Policy and Procedures

Information Security Policy. Policy and Procedures Information Security Policy Policy and Procedures Issue Date February 2013 Revision Date February 2014 Responsibility/ Main Point of Contact Neil Smedley Approved by/date Associated Documents Acceptable

More information

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The

More information

13 Ways Through A Firewall

13 Ways Through A Firewall Industrial Control Systems Joint Working Group 2012 Fall Meeting 13 Ways Through A Firewall Andrew Ginter Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright

More information

Seven Strategies to Defend ICSs

Seven Strategies to Defend ICSs INTRODUCTION Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it s not a matter of if an intrusion will take

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

ICT Security. High-Quality Information and Know How Protection. Design and implementation of security. Covering almost all of ICT security

ICT Security. High-Quality Information and Know How Protection. Design and implementation of security. Covering almost all of ICT security ICT High-Quality Information and Know How Protection Design and implementation of security solutions optimised to meet the client s needs Implementing state-of-the-art hardware and software security products

More information

CONTENTS. PCI DSS Compliance Guide

CONTENTS. PCI DSS Compliance Guide CONTENTS PCI DSS COMPLIANCE FOR YOUR WEBSITE BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Cloud Management. Description

Cloud Management. Description B 5.XXCloud Management B 5.XX Cloud Management Description Cloud Computing refers to the dynamic provisioning, use and invoicing of IT services, based on demand, via a network. These services are only

More information

National Cyber Security Month 2015: Daily Security Awareness Tips

National Cyber Security Month 2015: Daily Security Awareness Tips National Cyber Security Month 2015: Daily Security Awareness Tips October 1 New Threats Are Constantly Being Developed. Protect Your Home Computer and Personal Devices by Automatically Installing OS Updates.

More information